Thank Me Later <= 3.3.4 – Admin+ Stored Cross-Site Scripting | CVE 2022-1063 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privileges users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Add/Edit a message and put the following payload in the Subject field: "><img src onerror=prompt(/XSS/)>

The XSS will be triggered in the Messages list (/wp-admin/admin.php?page=bbpp_thankmelater)

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ankur Bakre

Submitter

Ankur Bakre

Submitter website

https://www.linkedin.com/in/ankur-bakre-99320316b/

Verified

Yes

WPVDB ID

f90c528b-8c3a-4f9a-aa36-099c24abe082

Timeline

Publicly Published

2022-03-28 (about 2 years ago)

Added

2022-03-28 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2023-12-01

Title

Seraphinite Accelerator < 2.20.29 - Reflected Cross-Site Scripting via rt

Published

2024-03-06

Title

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin < 3.1.5 - Unauthenticated Stored Self-Based Cross-Site Scripting

Published

2022-05-30

Title

Newsletter < 7.4.6 - Admin+ Stored Cross-Site Scripting

Published

2021-08-13

Title

Smart Email Alerts <= 1.0.10 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

HK Exif Tags 1.11 - hk_exif_tags.php hk_exif_tags_images_process Function EXIF Tags H&ling Stored XSS